The issues that surround cybersecurity and the broader concept of increased regulations for cyber tech have been a hotly debated topic around the world. At a national level, many countries don’t have actual laws dealing with cybersecurity. Instead, there is a smattering of rules and regulations that have developed over time due to growing cyber threats. This makes it extremely difficult to keep track of regulatory and compliance obligations. While there have been a few initiatives, they haven’t turned into proper laws.
Take it one step further. There are few regulations for cybersecurity tech and even fewer for the people who use and misuse it. What happens when cyber tech falls into the wrong hands?
In the case of Israeli cyber firm NSO Group and its controversial Pegasus software, the issue of responsibility remains unclear. NoCamels asked one legal expert and two cybersecurity experts to weigh in with their thoughts.
“[Pegasus] is such a magnificent tool. And you shouldn’t blame it,” says Einat Meyron, a cyber resilience expert who helps companies through the process of preparing for and handling cyber risks in the business sphere. “Let’s be more accurate,” she continues. “It was put in the right hands because the police are the authority that should have these capabilities. The police had the right to use it, but somewhere in the chain of command, someone took the liberty to do it according to his or her views and not according to proper procedure.”
In the first month of 2022, NSO’s Israeli founders found themselves in hot water — again — this time in their native country, as Israeli financial daily Calcalist ran a scathing report revealing that the Israel Police uses NSO’s Pegasus spyware “to remotely hack phones of Israeli citizens, control them, and extract information from them.” Mayors, leaders of political protests, former governmental employees, and even former Prime Minister Benjamin Netanyahu were on the list. Later, Calcalist ran a surveillance list of people whose phones were hacked by NSO, including (now former) ministries of transport, finance, and justice, Bezeq CEOs Dudu Mizrahi and Stella Hendler, and even journalists from Israel’s Walla! news site.
It was reported that the hacks were not done under court supervision and the police did not request a search or bugging warrant to conduct the surveillance. There was no surveillance of the collected data, the way the police used it, and how it would be distributed to other investigative agencies, like the Tax Authority.
The Israel Police denied the allegations as Israel set up an inquiry to examine reports of the violations.
As the world continues to grapple with these developments, amid the global push for data privacy standards, in Israel, a cybersecurity powerhouse, questions abound as to the contract between cyber companies and their users, of the tech that is being used to infiltrate and of the rights of the people whose devices are infiltrated.
What privacy standards are at stake? And what is the future of cyberprivacy if there are tools out there that infiltrate computers, mobile devices, servers, and the cloud, without justification? And the biggest question of all…
Who is responsible?
From a legal privacy perspective, Prof. Michael Birnhack, a professor of law at Tel Aviv University and a privacy activist, tells NoCamels that there are many “question marks.”
“The police are a public entity,” he says. “They are supposed to work for us. And we have a public interest in a well-functioning and efficient police, but one that operates within the contours of the law and respects privacy. That makes some difficult balances here. NSO, as long as they act within the law, is a legitimate company. I’m not speaking about morality or preferences. From a legal point of view, as long as they operate within the law, they are legitimate.”
“I think it’s a very broad question,” says Michael Assraf, CEO of US-Israeli cybersecurity startup Vicarius, referring to the controversy behind NSO Group’s surveillance technology. He tells NoCamels that while software can be used for national defense, it can also be abused for the wrong reasons. “The question we are wrestling with is, who do you hold accountable for this: the companies that provide the platform or the individuals that use it?”
Assraf, the CEO of a cyber defense firm that just raised $24 million in a Series A funding round this month, says that a new social media platform his company is currently developing has compelled the team to ask these kinds of questions about the future product. The company, which provides enterprises with tools to eliminate threats and remediate security vulnerabilities, is planning to launch that platform for security engineers where they will be able to exchange opinions while deploying scripts that can be used by everyone on the platform.
“We were discussing internally about what’s going on with NSO because it’s a question you may also ask about Facebook or any other social platform. In the end, there’s a platform where people can publish their own content, but what if this content is malicious or controversial? One can say that it’s not the platform’s responsibility, others can say it is, and we see the results of such an incident just like what happened with Spotify,” he says, referring to the controversy with Joe Rogan’s podcast where he had guests that gave out nonfactual information about COVID-19 and vaccines.
“We’re a vulnerability remediation company. We wish to open some of this proprietary information to the public to assist the community with free resources. The remediation strategies and some of the resources that we give our clients are going to be things that we also provide to the public. If someone were to search how to fix this vulnerability on Google, they will get a link to our website and they will be able to see the remediation script and all the information about the vulnerability from one of the users on the platform. Of course, it can be misused. But again, it goes back to responsibility. We’re putting it on our website like we’re putting it on this platform, and we’re allowing everyone to add to it. But we’re not necessarily responsible for the content that people are sharing. Of course, if it’s illegal that’s a different story.”
There’s the whole analogy of the gun falling into the wrong hands, Meyron tells NoCamels. “The F16 [machine gun] is a very useful weapon to have to protect the citizen, right? So if I’m using it properly, against a hostile society, it’s a great tool. But if I’m pointing it to the civilian population that didn’t do anything, it’s harmful,” she explains. “The tool itself is very important. Think of the complexity of having software like Pegasus — it’s supposed to track the human bomber, the person who is going to blow himself up within a population. It’s a very important tool for finding the right person. It’s precise. I can’t say the technology is bad because it is used for so many things — military activities, suicide bombers, even fraud or criminal activities. It’s a very important tool but as soon as you see that it’s not being used according to what is proper and no one is putting regulations on it, it becomes less helpful.”
“To the best of my legal understanding, the Israeli police do not have any legal authorization to use spyware. And I do believe that the police must have statutory authorization in order to use it,” says Prof. Birnhack. “They have some powers, as they should, to conduct searches or various kinds to conduct wiretapping, etc, they do have some powers, with detailed procedures. And these procedures are supposed to ensure that these measures are used only when needed, only to the extent needed, that they are not abused or misused and that there is sufficient judicial supervision or oversight.”
Cyber backlash
Following the backlash from the NSO scandal, Israel promised to narrow the list of countries eligible to purchase such spyware, possibly dropping countries like Morocco, Saudi Arabia, and more.
Earlier this month, it was reported that Israel had frozen export licenses for technology that can be used to carry out cyberattacks amid the widening scandal.
But will there be a blow to Israel’s cybersecurity sector? Probably not, says Meyron.
“A great example is that everyone knows about [elite IDF intelligence unit] Shmoneh Matayim (Hebrew). Notice I didn’t say 8200, because it’s common knowledge that it’s Shmoneh Matayim. It’s a name that everyone knows and we know of their unique capabilities. Everyone also knows that Israel has the capability to blow up Iranian nuclear facilities. It’s not a surprise to anyone. I don’t think this incident is going to change that.”